# tech-support

Rafael Rodrigues Santana

05/15/2023, 8:37 PM
[Securing orchest cluster]
Hello guys, we're implementing some security measures in our orchest cluster. I was not the one who created our deployment process in the past... We were thinking about using AWS WAF to secure it. However, since our load balancer is of type network (layer 4), WAF is not compatible. Is there a reason for orchest to create a Network Load Balancer instead of an Application Load Balancer? Here is our manifest:
```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ....
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: environment=....
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Local
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: tohttps
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: http
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer
```
Jacopo

05/16/2023, 7:53 AM
Hi Rafael, in principle I don't see why you couldn't go with an ALB rather than an NLB, assuming the due diligence checks take place. You might have to double check the controller for any quirky behaviour around balancers (not that I know of, but I wasn't fully involved with the controller) and the log streaming, since it goes through websocket.
I didn't have the chance to work with WAF, so I can't really help with any knowledge in that direction, sadly.
Rafael Rodrigues Santana

05/16/2023, 3:34 PM
I was able to work around this. It's an issue of the ingress-controller itself: it seems that it's not compatible (directly, at least) with application load balancers, just classic and network load balancers. However, we were able to use a load balancer by changing the service type to NodePort and forwarding requests from an existing load balancer to the node port.

Jacopo

05/17/2023, 6:50 AM
Happy to hear you found a workaround 🙂